Lock patterns are more predictable than we thought

We have been using traditional passwords for a very long time, but Google only introduced lock patterns in 2008. It’s hard to perform thorough studies on such a new method, but this authentication technique is finally becoming more mature. Fast forward to 2015 and good research is beginning to show up; the latest (and likely biggest) study comes from Marte Løge of the Norwegian University of Science and Technology.

What this research shows us is quite worrisome: it seems we are just as predictable with these handy lock figures as we are with our passwords. Løge collected about 4000 lock patterns by asking participants to create unlock gestures for supposed shopping apps, banking software and smartphone access.

“Humans are predictable. We’re seeing the same aspects used when creating a pattern lock [as are used in] pin codes and alphanumeric passwords.” -Marte Løge

There’s a reason why passwords like “password” and “123456789” exist. SplashData recently gave us a list of the worst (and most popular) passwords, and seeing those will really open your eyes to this issue. As tech consumers, we look for the simplest route possible. That is probably a main reason why lock patterns were even created. It’s an easier way to keep your phone protected, but we probably do have to sacrifice some level of security in order to obtain simpler unlock methods.

Even if this method were more effective, we must keep in mind that a system is only strong when we know how to use it, and it seems many of us are making our lock patterns way too simple. This will prove to be a danger once attackers learn more about our collective pattern choices.

Here are some of the most common lock pattern habits:

44% of people usually start their patterns from the top-left corner dot.

77% of users started their patterns in one of the corners.

Most users used only 5 nodes, and a significant number used only 4.

Over 10% of lock patterns were made in the shape of a letter (often representing the first initial of the person, or of a loved one).

Choosing better lock patterns

Let’s stop giving researchers data to analyze, guys. Remember these devices hold your whole digital life; we shouldn’t protect something like that with a lackluster pattern. I’ll give you some of my favorite tips for making Android lock patterns more complex.

Don’t use your first initial as a pattern. Seriously, that is like making your debit card PIN your birth date. That’s a huge no!

We simplify our security and forget that Android lock pattern lines can cross over each other. The more crossovers your pattern has, the harder it is for an attacker to predict it.

Try to make your patterns longer! You can use up to 9 nodes, guys! Why are we sticking with 4-5? In fact, you can get away with using 8 nodes and have the same number of possible combinations as if you were using all 9.

Of course, take the common pattern habits mentioned above and do the opposite. Try to start your pattern from a node that is not in a corner, and avoid the common top-left dot.
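To put numbers on the tips above, here is an added example (not from the original post or from Løge’s study) that enumerates every pattern Android’s 3x3 grid actually allows. Android’s drawing rules are the only assumption: a stroke cannot land on a node already used, and a straight line may only pass over a node in between (for example from the top-left to the top-right corner) if that middle node is already part of the pattern. The script counts valid patterns by length, showing that 8-node and 9-node patterns have the same count, converts each count into bits of entropy, and tallies patterns by starting node, which shows that every corner offers exactly the same number of patterns, so the 44% top-left habit is pure human bias rather than anything the grid forces.

```python
"""Enumerate valid Android 3x3 unlock patterns and measure the pattern space.

Added example; the only assumption is Android's drawing rule that a stroke
may only jump over an intermediate node that is already in the pattern.
"""
import math
from typing import Dict, FrozenSet, Iterator, List, Tuple

# Nodes numbered row-major: 0 1 2 / 3 4 5 / 6 7 8.
# (from, to) -> the node lying directly between them on a straight line.
MIDPOINTS: Dict[Tuple[int, int], int] = {}
for _a, _b, _mid in [(0, 2, 1), (3, 5, 4), (6, 8, 7),   # rows
                     (0, 6, 3), (1, 7, 4), (2, 8, 5),   # columns
                     (0, 8, 4), (2, 6, 4)]:             # diagonals
    MIDPOINTS[(_a, _b)] = _mid
    MIDPOINTS[(_b, _a)] = _mid

CORNERS = {0, 2, 6, 8}


def can_draw(frm: int, to: int, visited: FrozenSet[int]) -> bool:
    """A stroke may not land on a used node, and may only pass over the node
    between `frm` and `to` if that node is already part of the pattern."""
    if to in visited:
        return False
    mid = MIDPOINTS.get((frm, to))
    return mid is None or mid in visited


def is_valid_pattern(nodes: List[int]) -> bool:
    """Check a candidate pattern (4 to 9 nodes) against the drawing rules."""
    if not 4 <= len(nodes) <= 9 or any(n not in range(9) for n in nodes):
        return False
    visited = frozenset([nodes[0]])
    for frm, to in zip(nodes, nodes[1:]):
        if not can_draw(frm, to, visited):
            return False
        visited |= {to}
    return True


def all_patterns() -> Iterator[Tuple[int, ...]]:
    """Yield every valid pattern by depth-first extension from each start node."""
    def extend(path: Tuple[int, ...], visited: FrozenSet[int]):
        if len(path) >= 4:          # Android requires at least 4 nodes
            yield path
        if len(path) == 9:
            return
        for nxt in range(9):
            if can_draw(path[-1], nxt, visited):
                yield from extend(path + (nxt,), visited | {nxt})

    for start in range(9):
        yield from extend((start,), frozenset([start]))


def count_by_length() -> Dict[int, int]:
    """Number of valid patterns for each length 4..9."""
    counts = {n: 0 for n in range(4, 10)}
    for pattern in all_patterns():
        counts[len(pattern)] += 1
    return counts


def count_by_start() -> Dict[int, int]:
    """Number of valid patterns beginning at each node."""
    counts = {n: 0 for n in range(9)}
    for pattern in all_patterns():
        counts[pattern[0]] += 1
    return counts


def bits_of_entropy(count: int) -> float:
    """Entropy of a uniformly chosen pattern from a space of `count` patterns."""
    return math.log2(count)


if __name__ == "__main__":
    by_len = count_by_length()
    for n, c in by_len.items():
        print(f"{n} nodes: {c:7d} patterns ({bits_of_entropy(c):.1f} bits)")
    total = sum(by_len.values())
    print(f"total:   {total:7d} patterns ({bits_of_entropy(total):.1f} bits)")
    by_start = count_by_start()
    corner_share = sum(by_start[c] for c in CORNERS) / total
    print(f"patterns starting in a corner: {corner_share:.1%} (same count per corner)")
    print("letter L (0-3-6-7-8) valid:", is_valid_pattern([0, 3, 6, 7, 8]))
```

Run as a script, it prints the size of each length class. The striking result is that the whole space is only a few hundred thousand patterns, well under 20 bits even if people chose uniformly at random, and the habits above (corner start, 4 or 5 nodes, letter shapes) shrink the effective space far further; a 4-node pattern space is smaller than a 4-digit PIN space.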

It’s this type of information that makes me more of a biometrics advocate. Creating our own authentication secrets has proven to be a weak solution (on a larger scale, of course). Fingerprint readers, retina scanners and face recognition are very secure methods that can be harder to spoof.

But what do you guys think? Are you a fan of lock patterns? Mostly for convenience, or for security?